VeraCrypt, like TrueCrypt, uses the first 1 MB of any key file. As for the key files generated with VeraCrypt 1.0e (and also TrueCrypt), their size is 64 bytes, but Windows Explorer shows their size as 1 KB because that is the minimum size supported by the Explorer display. You can check that they are indeed 64 bytes by going to the file properties.

In the next version, the user can choose the size of the generated key file between 64 bytes and 1 MB, the default being 64 bytes.
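As an added illustration that is not part of this thread or of VeraCrypt's own code: a simplified keyfile fold in the spirit of the 64-byte TrueCrypt/VeraCrypt keyfile pool (an assumption for illustration, not claimed to be byte-exact with the project), showing why nothing past the first 1 MB of a keyfile can matter, while even a 64-byte keyfile still changes every pool byte. The sample keyfiles are constructed inline.

```python
import zlib

POOL_SIZE = 64           # the keyfile pool is 64 bytes, like the generated keyfiles
MAX_READ = 1024 * 1024   # only the first 1 MB of each keyfile is ever read


def mix_keyfile(pool: bytearray, data: bytes) -> None:
    """Fold one keyfile into the pool.

    Illustrative model (editor's assumption): a running CRC-32 over the bytes
    read, with the top CRC byte added into a 64-byte ring. Not byte-exact
    with TrueCrypt/VeraCrypt; check the project source for the real routine.
    """
    crc = 0
    pos = 0
    for b in data[:MAX_READ]:                    # bytes past 1 MB never enter the pool
        crc = zlib.crc32(bytes((b,)), crc)
        pool[pos] = (pool[pos] + (crc >> 24)) & 0xFF
        pos = (pos + 1) % POOL_SIZE              # wrap around the 64-byte ring


def keyfile_pool(keyfiles) -> bytes:
    """Combine any number of keyfiles into the 64-byte pool."""
    pool = bytearray(POOL_SIZE)
    for kf in keyfiles:
        mix_keyfile(pool, kf)
    return bytes(pool)


def bytes_used(size: int) -> int:
    """How many bytes of a keyfile of the given size actually matter."""
    return min(size, MAX_READ)


# Constructed sample keyfiles (not real user data):
ONE_MB = bytes(range(256)) * 4096                  # exactly 1 MB
KF_A = ONE_MB + b"tail-A" * 1000                   # same first 1 MB ...
KF_B = ONE_MB + b"tail-B" * 1000                   # ... different data after it
KF_SMALL = bytes(range(64))                        # a 64-byte generated-style keyfile
KF_SMALL_FLIP = bytes((KF_SMALL[0] ^ 0x01,)) + KF_SMALL[1:]   # one bit changed

if __name__ == "__main__":
    print("A and B (differ only past 1 MB) give the same pool:",
          keyfile_pool([KF_A]) == keyfile_pool([KF_B]))
    print("64-byte keyfiles differing by one bit give the same pool:",
          keyfile_pool([KF_SMALL]) == keyfile_pool([KF_SMALL_FLIP]))
    print("bytes of a 5 MB keyfile that are used:", bytes_used(5 * 1024 * 1024))
```

Padding a keyfile beyond 1 MB adds nothing to the pool, so keyfile size is not a substitute for keyfile content.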

Out of curiosity, what do random keyfile sizes between 64 bytes and 1 MB provide for security?


I made the request for random sized keyfile generation to provide a little obfuscation.

Although somewhat security by obscurity, any effort to frustrate an attacker is welcome. The more uncertainty we can force onto the attacker (hash type used, algorithm used, what is or isn't a keyfile), the better. We must also not always assume a user is trying to protect themselves from the 3 letter agencies in every scenario.

I personally generated these keyfiles and I don't actually use them on my volumes. I like them to be "available" for an attacker to find. :)

One of VC's strengths is its uncertainty: there are a good number of variables to every VC volume, and now keyfiles. An attacker has to start to make assumptions and guesses when attacking a VC volume. A nightmare situation for them but very good for us :)

However, the keyfiles I use aren't the ones I allow them to "find" :) That is one reason for the multiple keyfile request. The more keyfiles scattered across many people's hard drives the better.

It is very common for "security experts" to undervalue security by obscurity. They all too often dismiss it; however, I think they believe this because they approach security from their side only.

If you have ever, even for 1 day, tried working on the other team, so to speak, you will really appreciate just how demoralising uncertainty is.

If, for example, I know the password hash is SHA256 and it is iterated 1000 times, I can start work on brute-forcing your password from common password lists.

If, however, I don't know the hash or even how many times it is iterated, I cannot even start work.

I actually made a feature request to automatically randomise the hash type used when a user created a new volume, to enhance this effect. Without it the attacker may just assume defaults have been used, which provides them with some hope. I want to remove that feeling :D